SecServerSignature provides absolutely no security whatsoever. Zero.

In fact, not only does SecServerSignature provide no additional “layer of protection”, it actually reduces security, by definition. Any secret piece of information (server type/version) constitutes a point of potential compromise. As such, fewer secrets makes for a more secure system since there are fewer potential compromises.

Additionally, by changing your web server’s signature, and causing it to misidentify itself, you’re breaking anything that depends on that data being accurate. Much like web applications that have branching logic for different browsers, there are things that have branching logic for different servers. Not to mention skewing web services that report on market share, adoption rates, and such of web servers across the internet.

You should always come from the perspective of an attacker already having intimate details of your system, and you should plan from there, accordingly. Attempting to hide this information is a fool’s errand, does not increase security at all, and detracts from time that could have been spent on implementation actual security improvements. If you’re not 100% secure with them having intimate details of your system, you’re not secure, period.

While I appreciate that you’re promoting security, I feel that you’re doing the community a disservice by promoting security through obscurity. I think we’d be much better off if your writings focused on things you’ve already mentioned that actually do materially increase security: regular updates, software firewalls, secure configurations, etc.

Security through obscurity is wrong and dangerous.
- Wrong because it isn’t security in any way.
- Dangerous because misinformation like this makes people think they are taking valid security measures when they are not.

I’m very disappointed to see this kind of incorrect material being spread here.

There is no danger in letting people know that you use Apache, but do they need to know that?

One of the basic security principles are “least privilege” and “need to know”, meaning give your users the least privilege and least amount of information they need to know to do their job.

A visitor to your web site has no need to know which web server you are running, which application, os, etc…

Just taking security one step forward (not through obscurity, but WITH obscurity)

There is a danger in letting people know which version of Apache you are using, particularly if it’s out of date. Exposing the version doesn’t increase how vulnerable you are but it does reduce the time it would take an attacker to find the vulnerability in your installation.

The same goes for PHP and any modules you have installed that announce themselves in the headers.

add this to your conf for the same effect
server.tag = “lighttpd”

and force-reload to take effect.